Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks | CISA

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to the ease of exploitation.

CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian. CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs) in this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations.

For additional information on upgrade instructions, a complete list of affected product versions, and IOCs, see Atlassian's security advisory for CVE-2023-22515.[1] While Atlassian's advisory provides interim measures to temporarily mitigate known attack vectors, CISA, FBI, and MS-ISAC strongly encourage upgrading to a fixed version or taking servers offline to apply necessary updates.

Download the PDF version of this report.

For a downloadable copy of IOCs, see:

CVE-2023-22515 is a critical Broken Access Control vulnerability affecting the following versions of Atlassian Confluence Data Center and Server:

Note: Atlassian Cloud sites (sites accessed by an atlassian.net domain), including Confluence Data Center and Server versions before 8.0.0, are not affected by this vulnerability.

Unauthenticated remote threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and access Confluence instances. More specifically, threat actors can change the Confluence server's configuration to indicate the setup is not complete and use the /setup/setupadministrator.action endpoint to create a new administrator user. The vulnerability is triggered via a request on the unauthenticated /server-info.action endpoint.

Considering the root cause of the vulnerability allows threat actors to modify critical configuration settings, CISA, FBI, and MS-ISAC assess that the threat actors may not be limited to creating new administrator accounts. Open source further indicates an Open Web Application Security Project (OWASP) classification of injection (i.e., CWE-20: Improper Input Validation) is an appropriate description.[2] Atlassian released a patch on October 4, 2023, and confirmed that threat actors exploited CVE-2023-22515 as a zero-day, a previously unidentified vulnerability.[1]

On October 5, 2023, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks.

Post-exploitation exfiltration of data can be executed through a variety of techniques. A predominant method observed involves the use of cURL, a command line tool used to transfer data to or from a server. An additional data exfiltration technique observed includes use of Rclone [S1040], a command line tool used to sync data to cloud and file hosting services such as Amazon Web Services and China-based UCloud Information Technology Limited. Note: This does not preclude the effectiveness of alternate methods, but highlights methods observed to date. Threat actors were observed using Rclone to either upload a configuration file to victim infrastructure or enter cloud storage credentials via the command line. Example configuration file templates are listed in the following Figures 1 and 2, which are populated with the credentials of the exfiltration point.

The following User-Agent strings were observed in request headers:

Note: As additional threat actors begin to use this CVE due to the availability of publicly posted proof-of-concept code, an increasing variation in User-Agent strings is expected.

Disclaimer: Organizations are recommended to investigate or vet these IP addresses prior to taking action, such as blocking.

The following IP addresses were obtained from FBI investigations as of October 2023 and observed conducting data exfiltration:

Additional IP addresses observed sending related exploit traffic have been shared by Microsoft.[3]

Network defenders are encouraged to review and deploy Proofpoint's Emerging Threat signatures. See Ruleset Update Summary - 2023/10/12 - v10438.[4]

Network defenders are also encouraged to aggregate application and server-level logging from Confluence servers to a logically separated log search and alerting system, as well as configure alerts for signs of exploitation, as detailed in Atlassian's security advisory.

Organizations are encouraged to review all affected Confluence instances for evidence of compromise as outlined by Atlassian.[1] If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform any number of unfettered actions; these include, but are not limited to, exfiltration of content and system credentials, as well as installation of malicious plugins.

If a potential compromise is detected, organizations should:

These mitigations apply to all organizations using non-cloud Atlassian Confluence Data Center and Server software. CISA, FBI, and MS-ISAC recommend that software manufacturers incorporate secure by design and default principles and tactics into their software development practices to reduce the prevalence of Broken Access Control vulnerabilities, thus strengthening the secure posture for their customers.

For more information on secure by design, see CISA's Secure by Design and Default webpage and joint guide.

As of October 10, 2023, proof-of-concept exploits for CVE-2023-22515 have been observed in open source publications.[5] While there are immediate concerns such as increased risk of exploitation and the potential integration into malware toolkits, the availability of a proof-of-concept presents an array of security and operational challenges that extend beyond these immediate issues. Immediate action is strongly advised to address the potential risks associated with this development.

CISA, FBI, and MS-ISAC recommend taking immediate action to address the potential associated risks and encourage organizations to:

1. Atlassian: CVE-2023-22515 - Broken Access Control Vulnerability in Confluence Data Center and Server
2. Rapid7: CVE-2023-22515 Analysis
3. Microsoft: CVE-2023-22515 Exploit IP Addresses
4. Proofpoint: Emerging Threats Rulesets
5. Confluence CVE-2023-22515 Proof of Concept (vulhub)
6. Atlassian Support: Upgrading Confluence

The information in this report is being provided "as is" for informational purposes only. CISA, FBI, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA, FBI, and MS-ISAC.

October 16, 2023: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.
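The advisory recommends aggregating Confluence access logs into a separate search and alerting system and alerting on signs of exploitation. The script below is an added illustration of one such check, not part of the CISA advisory or of Atlassian's own tooling: it parses combined-format access log lines, flags requests to the two endpoints the advisory names (/server-info.action when it carries parameters, and any /setup/ action, which a fully configured server should not be serving), and groups the hits by source IP and User-Agent, marking a source that touched both stages. The log lines and IP addresses are constructed samples, and treating a parameterized request to /server-info.action as suspicious is a heuristic assumption to tune against your own baseline.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined-log style (not real traffic): 203.0.113.10 hits the
# unauthenticated /server-info.action with parameters, then a /setup/ action; 198.51.100.7 is normal use.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2023:12:01:01 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Oct/2023:12:01:05 +0000] "GET /server-info.action?redacted=1 HTTP/1.1" 302 0 "-" "python-requests/2.31.0"
203.0.113.10 - - [05/Oct/2023:12:01:06 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 200 310 "-" "python-requests/2.31.0"
198.51.100.7 - - [05/Oct/2023:12:02:10 +0000] "GET /server-info.action HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Oct/2023:12:02:12 +0000] "GET /rest/api/content HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify_request(target):
    """Map a request target (path plus optional query) to an indicator name, or None."""
    path, _, query = target.partition("?")
    if path.startswith("/setup/"):
        return "setup-endpoint"           # setup actions should be unreachable after initial setup
    if path == "/server-info.action" and query:
        return "server-info-with-params"  # heuristic: the trigger endpoint carrying parameters
    return None

def find_indicators(log_text):
    """Return one dict per suspicious request found in combined-format log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "ua": m["ua"], "reason": reason})
    return hits

def summarize_by_source(hits):
    """Group hits by source IP; 'chained' marks a source that hit both stages."""
    summary = defaultdict(lambda: {"reasons": set(), "user_agents": set(), "chained": False})
    for h in hits:
        entry = summary[h["ip"]]
        entry["reasons"].add(h["reason"])
        entry["user_agents"].add(h["ua"])
    for entry in summary.values():
        entry["chained"] = {"server-info-with-params", "setup-endpoint"} <= entry["reasons"]
    return dict(summary)
```

Run `summarize_by_source(find_indicators(log_text))` over exported access logs; a chained source is the strongest signal and should be cross-checked against unexpected new members of the confluence-administrators group, as the advisory directs.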